elasticsearch 用于elasticsearch的kubernetes statefulset控制器特权初始化容器
我正在尝试使用init容器创建一个ElasticSearch有状态集(STS),以增加工作节点elasticsearch 用于elasticsearch的kubernetes statefulset控制器特权初始化容器,elasticsearch,kubernetes,elasticsearch,Kubernetes,我正在尝试使用init容器创建一个ElasticSearch有状态集(STS),以增加工作节点vm.max_map_count=262144,以及ulimit-n 65536 然而,据我所知,一些PodSecurityPolicy(PSP)否认私有容器的升级 警告失败创建1s(x12对11s)状态设置控制器 在StatefSet elasticsearch节点中创建Pod elasticsearch-node-0 失败错误:pods“elasticsearch-node-0”被禁止:无法 根据任
vm.max_map_count=262144
,以及ulimit-n 65536
然而,据我所知,一些PodSecurityPolicy(PSP)否认私有容器的升级
警告失败创建1s(x12对11s)状态设置控制器
在StatefSet elasticsearch节点中创建Pod elasticsearch-node-0
失败错误:pods“elasticsearch-node-0”被禁止:无法
根据任何pod安全策略进行验证:
[spec.initContainers[0]。securityContext.privileged:无效值:
true:不允许使用特权容器
spec.initContainers[1]。securityContext.privileged:无效值:
true:不允许使用特权容器]
事实上,集群中有2台PSP,既有特权又没有特权。我是否需要在STS中指定专用PSP?还是svc acc
k8s服务器版本是1.9.8-如果有必要的话
这是STS(带有一些头盔元素)
$kubectl描述sts elasticsearch节点
Name: elasticsearch-node
Namespace: default
CreationTimestamp: Tue, 12 Nov 2019 17:09:50 +0100
Selector: component=elasticsearch,role=node
Labels: component=elasticsearch
role=node
Annotations: <none>
Replicas: 2 desired | 0 total
Update Strategy: RollingUpdate
Partition: 824638159384
Pods Status: 0 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
Labels: component=elasticsearch
role=node
Init Containers:
increase-vm-max-map-count:
Image: busybox
Port: <none>
Host Port: <none>
Command:
sysctl
-w
vm.max_map_count=262144
Environment: <none>
Mounts: <none>
increase-ulimit:
Image: busybox
Port: <none>
Host Port: <none>
Command:
sh
-c
ulimit -n 65536
Environment: <none>
Mounts: <none>
Containers:
elasticsearch:
Image: docker.elastic.co/elasticsearch/elasticsearch:7.3.2
Ports: 9200/TCP, 9300/TCP
Host Ports: 0/TCP, 0/TCP
Limits:
cpu: 1
memory: 3Gi
Requests:
cpu: 250m
memory: 2Gi
Environment:
ES_JAVA_OPTS: -Xms2G -Xmx2G
Mounts:
/usr/share/elasticsearch/config/elasticsearch.yml from config (rw,path="elasticsearch.yml")
Volumes:
config:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: elasticsearch-node
Optional: false
Volume Claims: <none>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 1s (x17 over 78s) statefulset-controller create Pod elasticsearch-node-0 in StatefulSet elasticsearch-node failed error: pods "elasticsearch-node-0" is forbidden: unable to validate against any pod security policy: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]
名称:elasticsearch节点
名称空间:默认值
CreationTimestamp:2019年11月12日星期二17:09:50+0100
选择器:组件=弹性搜索,角色=节点
标签:组件=弹性搜索
角色=节点
注释:
复制品:2份,共0份
更新策略:RollingUpdate
分区:824638159384
Pods状态:0正在运行/0正在等待/0成功/0失败
Pod模板:
标签:组件=弹性搜索
角色=节点
初始化容器:
增加vm最大映射计数:
图片:busybox
端口:
主机端口:
命令:
系统控制
-w
vm.max\u map\u count=262144
环境:
挂载:
增加ulimit:
图片:busybox
端口:
主机端口:
命令:
嘘
-c
乌利米特-n 65536
环境:
挂载:
容器:
弹性搜索:
图片:docker.elastic.co/elasticsearch/elasticsearch:7.3.2
端口:9200/TCP、9300/TCP
主机端口:0/TCP,0/TCP
限制:
中央处理器:1
内存:3Gi
请求:
中央处理器:250米
内存:2Gi
环境:
ES_JAVA_选项:-Xms2G-Xmx2G
挂载:
/usr/share/elasticsearch/config/elasticsearch.yml from config(rw,path=“elasticsearch.yml”)
卷数:
配置:
类型:ConfigMap(由ConfigMap填充的卷)
名称:elasticsearch节点
可选:false
批量索赔:
活动:
从消息中键入原因年龄
---- ------ ---- ---- -------
警告失败创建1s(x17超过78s)状态设置控制器在状态设置elasticsearch节点中创建Pod elasticsearch-node-0失败错误:Pod“elasticsearch-node-0”被禁止:无法根据任何Pod安全策略进行验证:[spec.initContainers[0].securityContext.privileged:无效值:true:不允许使用特权容器spec.initContainers[1]。securityContext.privileged:无效值:true:不允许使用特权容器]
已经盯着PSP文档看了一段时间了:我对该页面的理解是,必须将一个可以
使用PSP的角色绑定到服务帐户,您发布的示例甚至没有提到您正在使用的SA,或者您是否采取了任何特殊的RBAC步骤。另外,FWIW,在像您这样的受限集群中,通过另一种机制(DaemonSet
、配置脚本、一式三份的表单等等)请求对节点进行sysctl
更改通常比尝试绕过不受权限的PSP要好得多。您看到了吗?
Name: elasticsearch-node
Namespace: default
CreationTimestamp: Tue, 12 Nov 2019 17:09:50 +0100
Selector: component=elasticsearch,role=node
Labels: component=elasticsearch
role=node
Annotations: <none>
Replicas: 2 desired | 0 total
Update Strategy: RollingUpdate
Partition: 824638159384
Pods Status: 0 Running / 0 Waiting / 0 Succeeded / 0 Failed
Pod Template:
Labels: component=elasticsearch
role=node
Init Containers:
increase-vm-max-map-count:
Image: busybox
Port: <none>
Host Port: <none>
Command:
sysctl
-w
vm.max_map_count=262144
Environment: <none>
Mounts: <none>
increase-ulimit:
Image: busybox
Port: <none>
Host Port: <none>
Command:
sh
-c
ulimit -n 65536
Environment: <none>
Mounts: <none>
Containers:
elasticsearch:
Image: docker.elastic.co/elasticsearch/elasticsearch:7.3.2
Ports: 9200/TCP, 9300/TCP
Host Ports: 0/TCP, 0/TCP
Limits:
cpu: 1
memory: 3Gi
Requests:
cpu: 250m
memory: 2Gi
Environment:
ES_JAVA_OPTS: -Xms2G -Xmx2G
Mounts:
/usr/share/elasticsearch/config/elasticsearch.yml from config (rw,path="elasticsearch.yml")
Volumes:
config:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: elasticsearch-node
Optional: false
Volume Claims: <none>
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 1s (x17 over 78s) statefulset-controller create Pod elasticsearch-node-0 in StatefulSet elasticsearch-node failed error: pods "elasticsearch-node-0" is forbidden: unable to validate against any pod security policy: [spec.initContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.initContainers[1].securityContext.privileged: Invalid value: true: Privileged containers are not allowed]